VLANs for Dummies

I’m still trying to wrap my head around some more “intermediate” networking like VLANs. We install Control4 systems (which are IP based) and also a lot of analog CCTV & networked DVRs, or IP cams and NVRs, etc. For a long time I’ve heard that if you can isolate the Control4 equipment from everything else, things tend to run smoother and faster.

I understand the basic concept of VLANs, but am fuzzy on how to implement them. I’m also a bit unclear as to the practical differences between VLANs and just putting devices on different subnets. As I understand it, subnets isolate the broadcast between them, but again I’m still fuzzy on the whole thing.

Let’s say I want to do a setup like this:

Main home network - 192.168.1.xxx
Control4 network - 192.168.4.xxx
IP cameras - 192.168.10.xxx

Each subnet would need access to the internet and the .4 and .10 would need access coming in from the WAN.
The DVR/NVR on the .10 would also need to be able to be accessed from certain PCs on the .1 subnet.
The main Control4 processor would typically also need to be accessed from PCs or iPads/iPhones on the .1 subnet.
Then ideally my laptop would be able to easily access all three ‘networks’.

Can anyone give me a high-level overview of how to accomplish what I’m looking to do? I’ll do the work to figure out how to implement it, but I definitely need some direction.

Thanks!
jim

I’m also a bit unclear as to the practical differences between VLANs and just putting devices on different subnets. As I understand it, subnets isolate the broadcast between them, but again I’m still fuzzy on the whole thing.

That’s more or less it.

“Subnet” or “network” is a different way to say “broadcast domain”, which is the area that a packet broadcast to all hosts on a network can reach.

You can have separate networks simply by having a router with multiple ports, and configuring each port as a separate network, and then connecting physically separate switches to each of the ports. Now the devices on those switches are on different networks. That’s how things used to work.

At some point it became too expensive to operate all these physically different switches - not just buying them, but they also all need separate power, rack space, cooling, maintenance, warranties, and so on. So the VLAN was invented. Each VLAN is its own broadcast domain, just as if it was physically separate from all other VLANs even though the physical infrastructure is the same. You use a router to get packets from VLANs to other VLANs - just as if they were on different ports on the router - but now you can have logical interfaces (VLAN interfaces) with many of them stacked on just one physical port, and switches that understand VLANs and keep broadcasts internal to a VLAN only by tracking which switch port is on which VLAN. Logically it’s still as if everything was physically separate, it’s just an abstraction.

Routers by default route between all directly connected networks. That’s the whole purpose of a router, so that’s what it will do.

If you were keeping things physical you could take a router with 4 ports and configure one for WAN uplink, one for the home network, one for the control4 network, and one for the IP cameras. Buy different switches to connect the 3 internal networks back to the appropriate router ports and you’re done, everything else you mention happens automatically (except for WAN access, which you configure exactly the same as if there was only one internal network - you port forward (configure source and destination NAT appropriately while making sure the IP firewall filters allow that traffic)). If you want to use VLANs you get VLAN capable switches, on the router make 3 VLAN interfaces tied to one physical interface, assign the IP addressing to the VLAN interfaces, and connect the switch for those 3 VLANs. Then you connect the equipment as you did before, taking care to assign the switch ports to the right VLANs. That’s it. Literally the only things that change are that
a) the IP addressing resides on VLAN interfaces rather than ethernet interfaces
b) you have to configure the switch appropriately to get the equipment on the appropriate VLANs.

Hope that helps.

Very interesting. Yes, that helps a lot.

So “port-based VLAN” is really no different than setting up a different network/subnet on each port?

What do you have to put in place to get access to one device on VLAN/subnet 1 from a device on VLAN/subnet 2? I’m thinking you need a static route - yet another thing I’m fuzzy on.

Thanks

As fewi said, if you subnet your network you have to use separate switches for each subnet. Otherwise you will have a mess, especially if you need DHCP on each subnet.

VLAN allows you to use one physical switch and make virtual switches within it. Even more, if you have more switches that support VLAN then they all act like one single physical switch that you may divide into several virtual switches. VLAN can spread to several physical switches.

This means if you have three devices in the same room, and each has to connect to a separate subnet, you can simply attach them to a VLAN switch and then assign physical switch ports to virtual switches.

Then, you assign each VLAN to a subnet and that is it: with very few devices, very few cables and quite an easy setup you have three separate physical networks.

What do you have to put in place to get access to one device on VLAN/subnet 1 from a device on VLAN/subnet 2? I’m thinking you need a static route - yet another thing I’m fuzzy on.
Nothing. The router has interfaces on all VLANs so it just routes between them as long as the devices on the different VLANs are using the router’s IP on their VLAN as the default gateway.
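To make the two answers above concrete (fewi’s router with one VLAN interface per network, and the point that no static route is needed as long as hosts use the router’s address on their VLAN as the default gateway), here is an added toy model in Python. It is not code from the thread or from RouterOS; the interface names (vlan1, vlan4, vlan10, ether1-wan), the addresses and the hosts are constructed for the example. It also shows the one case where inter-VLAN access silently fails: a host with the wrong subnet mask decides the destination is local and never sends the packet to the router at all.

```python
# Added example (not from the thread): a toy model of why no static route is
# needed between VLANs that all terminate on one router. Each VLAN interface
# is a directly connected network, so the router already knows how to reach
# every VLAN; what matters on the host side is the mask and default gateway.
import ipaddress


class Host:
    """An end device with one address/mask and a default gateway."""

    def __init__(self, address_with_prefix, gateway):
        self.iface = ipaddress.ip_interface(address_with_prefix)
        self.gateway = ipaddress.ip_address(gateway)

    def next_hop(self, dst):
        """Hosts ARP directly for anything inside their own subnet and hand
        everything else to the default gateway."""
        dst = ipaddress.ip_address(dst)
        return dst if dst in self.iface.network else self.gateway


class Router:
    """A router with one IP per VLAN interface plus a default route to the WAN.
    Interface names (vlan1, ether1-wan, ...) are placeholders for the example."""

    def __init__(self, vlan_interfaces, wan_interface):
        self.interfaces = {name: ipaddress.ip_interface(a) for name, a in vlan_interfaces.items()}
        # Every interface address installs a "connected" route automatically.
        self.routes = [(i.network, name) for name, i in self.interfaces.items()]
        self.wan_interface = wan_interface

    def addresses(self):
        return {i.ip for i in self.interfaces.values()}

    def lookup(self, dst):
        """Longest-prefix match over connected routes, falling back to the default route."""
        dst = ipaddress.ip_address(dst)
        matches = [(net.prefixlen, name) for net, name in self.routes if dst in net]
        if matches:
            return ("connected", max(matches)[1])
        return ("default", self.wan_interface)


def trace(host, router, dst):
    """Describe how a packet from host to dst travels; returns a list of hop strings."""
    dst = ipaddress.ip_address(dst)
    hop = host.next_hop(dst)
    if hop == dst:
        return ["host ARPs for %s on its own VLAN (believes it is local)" % dst]
    if hop not in router.addresses():
        return ["host sends to gateway %s, which is not an address of this router" % hop]
    kind, via = router.lookup(dst)
    return ["host -> gateway %s" % hop, "router forwards out %s (%s route)" % (via, kind)]


# Constructed addressing matching the thread: .1 home, .4 Control4, .10 cameras.
ROUTER = Router({"vlan1": "192.168.1.1/24", "vlan4": "192.168.4.1/24",
                 "vlan10": "192.168.10.1/24"}, wan_interface="ether1-wan")
PC = Host("192.168.1.50/24", "192.168.1.1")            # correctly configured PC on the home VLAN
PC_BAD_MASK = Host("192.168.1.51/16", "192.168.1.1")   # same PC with a /16 mask by mistake

if __name__ == "__main__":
    for h, name in ((PC, "PC"), (PC_BAD_MASK, "PC with /16 mask")):
        print(name, "-> 192.168.10.50 (NVR):", " | ".join(trace(h, ROUTER, "192.168.10.50")))
    print("PC -> 8.8.8.8:", " | ".join(trace(PC, ROUTER, "8.8.8.8")))
```

Run it and the correctly configured PC reaches the NVR with nothing more than the connected routes the router installed for itself, while the PC with the /16 mask never hands the packet to the router because it thinks 192.168.10.50 is on its own wire. Whether the router then permits the traffic is a separate firewall-filter question; the routing itself needs no static entries.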

So do you have to use a ‘smart’ switch in each room? We typically use small switches like Netgear’s GS105 or GS108 in a room while the main rack and network equipment is in the basement or mechanical room. I’m not sure how that would work unless the router is assigning static DHCP to each device and putting it on a specific subnet (and no idea if that’s how it would work anyway)

edit - forgot about the 250GS for $39… :)

If you want to use VLANs then you have to use smart switches, at least to the point where everything else goes to a single VLAN.

I see you constantly mix routing and TCP/IP services with VLANs. VLANs are just virtual switches. They work on a lower layer.

VLANs just help you not to implement three physical networks (with separate cabling and non smart switches) for three subnets.

Instead, you have one physical network (using one cabling infrastructure and smart switches) and then separate it in three virtual LANs (VLANs). That allows you to assign any port on any switch to any VLAN.

Thanks for all the help, guys. This is making more sense than it ever has.

Another question. I have a situation on a job where it looks like there will be:

RB750GL port 2 → Netgear JGS524 (dumb 24 port gig switch) → all Control4 equipment, Ruckus ZD, any wired LAN outlets
port 3 → Planet Networks 8 port POE smart switch → 4x Ruckus WAPs and 3x Control4 touchscreens

(Unfortunately the budget on this job won’t allow us to put in a smart Netgear switch and call it a day, we’re just adding the POE switch)

I would like to keep the WAPs and C4 touchscreens (& rest of C4 equipment) on different VLANs if possible. Going from port 3 of the 750 to the Planet switch will be fine, but the rest of the C4 system will be on the JGS524 which doesn’t support VLANs.

Is there a way I could use static DHCP reservations in the 750 to ‘assign’ a VLAN to specific devices? That way all “my” devices would be hard-coded to a static DHCP address and VLAN (assuming you can even do it that way) and maybe the main home network could be on a different DHCP pool and VLAN.

I’m not above just throwing all this on one ‘network’ and being done with it, especially if there’s going to be a big learning curve on this.

thx

You are, again, mixing TCP/IP with VLANs. TCP/IP has nothing to do with VLANs.

If you want to achieve three networks in a single LAN, that is possible. Assign three IP ranges to the same interface, and use DHCP to assign IPs to specific devices within the needed IP ranges. That would work.

Actually, that is done exactly as you have IP ranges on separate interfaces, except you do it all on one interface.

There is just one limitation: you will have to use static IPs on two networks, as just one can use dynamic IP pool on DHCP.

I must just have my terminology wrong, because that’s exactly what I had in my head.

thanks

You do have your terminology wrong, because that has nothing to do with VLANs whatsoever, and is a fairly dirty approach that doesn’t gain you squat. With the broadcast domain of all three networks overlaid on one logical or physical network you have absolutely no benefits in regards to security or traffic flow. You might just as well use the same IP network for everything - that would actually be the better and cleaner solution.

you did see the thread title I picked says “for Dummies” in it, right? :)

I think some of the confusion is coming from the definition of a “broadcast domain”.

A broadcast domain functions on Layer 2 of the OSI model, and is independent of IP addresses and subnets. If you were to send out a packet with the broadcast MAC address (FF:FF:FF:FF:FF:FF), everything on the same broadcast domain sees that packet, and has to check if it is relevant or not. This becomes a big deal with embedded systems since they typically have limited processing power. Packets like ARP are processed even if they are for PCs on a different subnet. If you are in a broadcast domain with multiple subnets, you can open a network sniffer (like Wireshark) and see broadcast packets from the different subnets.

IP Video can make this even worse if it uses multicast. If you aren’t using switches with IGMP snooping or some other method to isolate traffic (like VLANs), then a couple IP cameras can easily overwhelm small embedded devices with a flood of packets. Even if the device isn’t “using” the video, it still receives the packet and has to do some small amount of processing before it knows it can ignore the packet.

VLANs provide us a way to break up broadcast domains. They are very effective, but require managed switches throughout your network. In a VLAN enabled network, there are two types of packets, tagged and untagged. Untagged packets are your typical, every-day ethernet frames. Tagged packets have an 802.1Q VLAN header on them, marking what VLAN they belong to. Likewise, every port in a managed switch has one untagged VLAN assigned to it and potentially one or more tagged VLANs.

Let’s use an example from the wiki, here we have two managed switches linked together and a handful of clients on them.

When the first client sends an untagged packet to the switch, the switch checks its config and sees the port is assigned VLAN 1, so it puts a VLAN 1 tag on the packet and goes to forward it on. The switch sees no other ports marked as “Untagged VLAN 1”, but it does see an uplink with “Tagged VLAN 1” on it, so it leaves the tag on, and sends the packet out that port. At this point the second switch gets the packet and looks at the header. It sees the VLAN 1 tag, and checks its config. It has a port marked “Untagged VLAN 1”, so it strips the VLAN 1 tag off and sends it out the appropriate port. Computers attached to VLAN 2 and VLAN 3 never saw the packet.

VLANs are designed to be transparent to the end device, because the client should only send and receive untagged packets and let the switch handle all the VLAN work. Some care must be taken to only send tagged packets to VLAN aware devices, otherwise some unexpected issues can result. When you send tagged packets to an unmanaged switch, any number of things can happen. The packets can be switched out all ports with the VLAN tag intact, the packet can be discarded as invalid, or the VLAN tag can be stripped off and the packet forwarded on as untagged. This last scenario is unfortunately fairly common, and results in your VLANs all being bridged together, thus removing the isolation we were working for.

Unfortunately, with your current design, unless you can upgrade the Netgear JGS524 to a smart switch of some sort, VLANs won’t be very practical or effective for you. I hope that at least this will give you a little bit better clarity as to how VLANs work and fit in to a network design. If it is still a little confusing, don’t feel bad. VLANs are a very hard subject that still trips up a lot of seasoned networking vets (the fact that no two vendors seem to use the same terminology doesn’t really help, either). If you have any other questions, just ask.
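The walkthrough above (untagged ingress, tag kept on the uplink, tag stripped at the far access port) and the earlier point that a broadcast domain is a Layer 2 thing independent of IP subnets can both be checked with a small simulation. The following is an added Python model, not code from the thread, the wiki page it refers to, or any switch vendor. Frames are real byte strings so the 4-byte 802.1Q tag lands where it does on the wire; the switch port tables, the two-switch topology, host labels and MAC addresses are all constructed for the example. Host F is deliberately put on a VLAN 1 port with a 192.168.4.x address to show it still receives VLAN 1 broadcasts, and the second run swaps the far switch for one that behaves like the "strip and flood" unmanaged switch described above.

```python
# Added example (not from the thread): a toy model of 802.1Q switching that
# reproduces the two-switch walkthrough and the unmanaged-switch failure mode.
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
TPID_8021Q = 0x8100


def tag(frame, vid):
    """Insert an 802.1Q tag (TPID + TCI, PCP=0) after the 12 bytes of dst/src MAC."""
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) + frame[12:]


def vlan_of(frame):
    """VID carried in the frame's tag, or None for an untagged frame."""
    if len(frame) >= 16 and struct.unpack("!H", frame[12:14])[0] == TPID_8021Q:
        return struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return None


def untag(frame):
    """Strip the 802.1Q tag if one is present."""
    return frame[:12] + frame[16:] if vlan_of(frame) is not None else frame


def access(vid):          # access port: one untagged VLAN, nothing tagged
    return {"untagged": vid, "tagged": set()}


def trunk(*vids):         # uplink port: tagged VLANs only
    return {"untagged": None, "tagged": set(vids)}


class ManagedSwitch:
    """Flooding-only model (no MAC learning): a broadcast goes to every other
    port that is a member of the frame's VLAN, untagged or tagged per the port."""

    def __init__(self, ports):
        self.ports = ports   # {port number: access(...) or trunk(...)}

    def forward(self, in_port, frame):
        cfg = self.ports[in_port]
        tagged_vid = vlan_of(frame)
        vid = cfg["untagged"] if tagged_vid is None else tagged_vid   # untagged ingress = PVID
        if vid is None or (tagged_vid is not None and tagged_vid not in cfg["tagged"]):
            return []   # untagged frame on a tag-only port, or a VLAN this port does not carry
        inner = untag(frame)
        out = []
        for port, pcfg in self.ports.items():
            if port == in_port:
                continue
            if pcfg["untagged"] == vid:
                out.append((port, inner))            # access port: tag removed
            elif vid in pcfg["tagged"]:
                out.append((port, tag(inner, vid)))  # trunk port: tag kept
        return out


class UnmanagedSwitch:
    """The unlucky case from the thread: tag stripped and the frame flooded to
    every other port, which bridges all VLANs together."""

    def __init__(self, nports):
        self.nports = nports

    def forward(self, in_port, frame):
        return [(p, untag(frame)) for p in range(1, self.nports + 1) if p != in_port]


def flood(switches, links, hosts, sw, port, frame, seen=None):
    """Push a frame through the topology; return {host label: VID the host saw}."""
    if seen is None:
        seen = {}
    for out_port, out_frame in switches[sw].forward(port, frame):
        if (sw, out_port) in hosts:
            seen[hosts[(sw, out_port)]] = vlan_of(out_frame)
        elif (sw, out_port) in links:
            next_sw, next_port = links[(sw, out_port)]
            flood(switches, links, hosts, next_sw, next_port, out_frame, seen)
    return seen


# Constructed topology: host A on sw1 port 1 (VLAN 1) sends an ARP broadcast;
# port 24 on each switch is the uplink between them. Labels are name:VLAN:IP.
HOSTS = {("sw1", 2): "B:VLAN2:192.168.4.10", ("sw1", 3): "F:VLAN1:192.168.4.20",
         ("sw2", 1): "C:VLAN1:192.168.1.20", ("sw2", 2): "D:VLAN2:192.168.4.30",
         ("sw2", 3): "E:VLAN3:192.168.10.5"}
LINKS = {("sw1", 24): ("sw2", 24)}
SW1 = ManagedSwitch({1: access(1), 2: access(2), 3: access(1), 24: trunk(1, 2, 3)})
ARP_FROM_A = BROADCAST + bytes.fromhex("0a0000000001") + struct.pack("!H", 0x0806) + b"who-has?"


def run_demo(second_switch_unmanaged=False):
    """Broadcast from host A; returns which hosts received it and with what tag."""
    sw2 = (UnmanagedSwitch(24) if second_switch_unmanaged
           else ManagedSwitch({1: access(1), 2: access(2), 3: access(3), 24: trunk(1, 2, 3)}))
    return flood({"sw1": SW1, "sw2": sw2}, LINKS, HOSTS, "sw1", 1, ARP_FROM_A)
```

With two managed switches, `run_demo()` delivers A’s broadcast only to F and C, both untagged, even though F carries a 192.168.4.x address: VLAN membership, not the IP subnet, decides who hears it. With `run_demo(True)` the far switch strips the tag and floods, so D (VLAN 2) and E (VLAN 3) receive it as well, which is exactly the "all VLANs bridged together" outcome the post warns about when a tagged uplink lands on an unmanaged switch.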

Great post, thank you.

I can’t change out that unmanaged switch at this point, but maybe I can isolate the JGS524 to just be the Control4 equipment. It can connect to a port on the RB750GL which would handle the VLAN assignment. All the devices on that VLAN would be sending and receiving untagged packets, and the outgoing traffic from that port on the 750 could be set to strip the VLAN header.

Then the Planet Network PoE switch could be on a different port of the RB750GL and could be a trunk between the two. The Planet switch could assign VLANs to the touchscreens through its ports, and the Ruckus is certainly VLAN capable and could tag different SSIDs with different VLAN headers (homeowner SSID, guest SSID, our SSID).

The only downside to this (so far, I think) is anything plugged into the JGS524 in the future would automatically be in the “Control4 VLAN”.

Still not sure if I’m brave enough to try this on this particular job, but does that sound right?

Hi. Have a look at the RB250. Small VLAN capable switch, probably designed for something like this.